wget: Security fixes CVE-2018-20483

Source: http://git.savannah.gnu.org/cgit/wget.git/
Type: Security Fix
Disposition: Backport from http://git.savannah.gnu.org/cgit/wget.git/
Description:

Fixes CVE-2018-20483

(From OE-Core rev: c901bc8cd9de5853185af2059c6f1efeb4ccdd60)

Signed-off-by: Aviraj CJ <acj@cisco.com>
[Affects Wget before 1.20.1]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch

@@ -0,0 +1,73 @@
+From 6c5471e4834aebd7359d88b760b087136473bac8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Wed, 26 Dec 2018 13:51:48 +0100
+Subject: [PATCH 1/2] Don't use extended attributes (--xattr) by default
+
+* src/init.c (defaults): Set enable_xattr to false by default
+* src/main.c (print_help): Reverse option logic of --xattr
+* doc/wget.texi: Add description for --xattr
+
+Users may not be aware that the origin URL and Referer are saved
+including credentials, and possibly access tokens within
+the urls.
+
+CVE: CVE-2018-20483 patch 1
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/wget.git/commit/?id=c125d24762962d91050d925fbbd9e6f30b2302f8]
+Signed-off-by: Aviraj CJ <acj@cisco.com>
+---
+ doc/wget.texi | 8 ++++++++
+ src/init.c    | 4 ----
+ src/main.c    | 2 +-
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/doc/wget.texi b/doc/wget.texi
+index eaf6b380..3f9d7c1c 100644
+--- a/doc/wget.texi
++++ b/doc/wget.texi
+@@ -540,6 +540,14 @@ right NUMBER.
+ Set preferred location for Metalink resources. This has effect if multiple
+ resources with same priority are available.
+ 
++@cindex xattr
++@item --xattr
++Enable use of file system's extended attributes to save the
++original URL and the Referer HTTP header value if used.
++
++Be aware that the URL might contain private information like
++access tokens or credentials.
++
+ 
+ @cindex force html
+ @item -F
+diff --git a/src/init.c b/src/init.c
+index eb81ab47..800970c5 100644
+--- a/src/init.c
++++ b/src/init.c
+@@ -509,11 +509,7 @@ defaults (void)
+   opt.hsts = true;
+ #endif
+ 
+-#ifdef ENABLE_XATTR
+-  opt.enable_xattr = true;
+-#else
+   opt.enable_xattr = false;
+-#endif
+ }
+ 
+ /* Return the user's home directory (strdup-ed), or NULL if none is
+diff --git a/src/main.c b/src/main.c
+index 81db9319..6ac1621b 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -754,7 +754,7 @@ Download:\n"),
+ #endif
+ #ifdef ENABLE_XATTR
+     N_("\
+-       --no-xattr                  turn off storage of metadata in extended file attributes\n"),
++       --xattr                     turn on storage of metadata in extended file attributes\n"),
+ #endif
+     "\n",
+ 
+-- 
+2.19.1
+

meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch

@@ -0,0 +1,127 @@
+From 5a4ee4f3c07cc5dc7ef5f7244fcf51fd2fa3bc67 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Wed, 26 Dec 2018 14:38:18 +0100
+Subject: [PATCH 2/2] Don't save user/pw with --xattr
+
+Also the Referer info is reduced to scheme+host+port.
+
+* src/ftp.c (getftp): Change params of set_file_metadata()
+* src/http.c (gethttp): Change params of set_file_metadata()
+* src/xattr.c (set_file_metadata): Remove user/password from origin URL,
+  reduce Referer value to scheme/host/port.
+* src/xattr.h: Change prototype of set_file_metadata()
+
+CVE: CVE-2018-20483 patch 2
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/wget.git/commit/?id=3cdfb594cf75f11cdbb9702ac5e856c332ccacfa]
+Signed-off-by: Aviraj CJ <acj@cisco.com>
+---
+ src/ftp.c   |  2 +-
+ src/http.c  |  4 ++--
+ src/xattr.c | 24 ++++++++++++++++++++----
+ src/xattr.h |  3 ++-
+ 4 files changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/src/ftp.c b/src/ftp.c
+index 69148936..db8a6267 100644
+--- a/src/ftp.c
++++ b/src/ftp.c
+@@ -1580,7 +1580,7 @@ Error in server response, closing control connection.\n"));
+ 
+ #ifdef ENABLE_XATTR
+   if (opt.enable_xattr)
+-    set_file_metadata (u->url, NULL, fp);
++    set_file_metadata (u, NULL, fp);
+ #endif
+ 
+   fd_close (local_sock);
+diff --git a/src/http.c b/src/http.c
+index 77bdbbed..472c328f 100644
+--- a/src/http.c
++++ b/src/http.c
+@@ -4120,9 +4120,9 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
+   if (opt.enable_xattr)
+     {
+       if (original_url != u)
+-        set_file_metadata (u->url, original_url->url, fp);
++        set_file_metadata (u, original_url, fp);
+       else
+-        set_file_metadata (u->url, NULL, fp);
++        set_file_metadata (u, NULL, fp);
+     }
+ #endif
+ 
+diff --git a/src/xattr.c b/src/xattr.c
+index 66524226..0f20fadf 100644
+--- a/src/xattr.c
++++ b/src/xattr.c
+@@ -21,6 +21,7 @@
+ #include <string.h>
+ 
+ #include "log.h"
++#include "utils.h"
+ #include "xattr.h"
+ 
+ #ifdef USE_XATTR
+@@ -57,7 +58,7 @@ write_xattr_metadata (const char *name, const char *value, FILE *fp)
+ #endif /* USE_XATTR */
+ 
+ int
+-set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp)
++set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp)
+ {
+   /* Save metadata about where the file came from (requested, final URLs) to
+    * user POSIX Extended Attributes of retrieved file.
+@@ -67,13 +68,28 @@ set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp)
+    * [http://0pointer.de/lennart/projects/mod_mime_xattr/].
+    */
+   int retval = -1;
++  char *value;
+ 
+   if (!origin_url || !fp)
+     return retval;
+ 
+-  retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (origin_url), fp);
+-  if ((!retval) && referrer_url)
+-    retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (referrer_url), fp);
++  value = url_string (origin_url, URL_AUTH_HIDE);
++  retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (value), fp);
++  xfree (value);
++
++  if (!retval && referrer_url)
++    {
++	  struct url u;
++
++	  memset(&u, 0, sizeof(u));
++      u.scheme = referrer_url->scheme;
++      u.host = referrer_url->host;
++      u.port = referrer_url->port;
++
++      value = url_string (&u, 0);
++      retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (value), fp);
++      xfree (value);
++    }
+ 
+   return retval;
+ }
+diff --git a/src/xattr.h b/src/xattr.h
+index 10f3ed11..40c7a8d3 100644
+--- a/src/xattr.h
++++ b/src/xattr.h
+@@ -16,12 +16,13 @@
+    along with this program; if not, see <http://www.gnu.org/licenses/>.  */
+ 
+ #include <stdio.h>
++#include <url.h>
+ 
+ #ifndef _XATTR_H
+ #define _XATTR_H
+ 
+ /* Store metadata name/value attributes against fp. */
+-int set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp);
++int set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp);
+ 
+ #if defined(__linux)
+ /* libc on Linux has fsetxattr (5 arguments). */
+-- 
+2.19.1
+

meta/recipes-extended/wget/wget_1.19.5.bb

@@ -2,6 +2,8 @@ SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
            file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
            file://0002-improve-reproducibility.patch \
            file://CVE-2019-5953.patch \
+           file://CVE-2018-20483_p1.patch \
+           file://CVE-2018-20483_p2.patch \
           "
 
 SRC_URI[md5sum] = "2db6f03d655041f82eb64b8c8a1fa7da"